The 2020 pandemic has caused permanent disruption to business and critical user workflows. Most universities felt pain points during the pandemic as they worked to maintain productivity. In the post-pandemic world, most universities and staff expect remote work environments.
However, daily ransomware attacks are a reminder that while maintaining user productivity is important, ensuring security is paramount. Colonial Pipeline’s CEO told Congress that the attack occurred using a legacy Virtual Private Network (VPN) system that did not have multifactor authentication (MFA) in place. As hackers become more sophisticated and have increasing access to advanced computers, brute force attacks are becoming common, driving the higher education community to take an active approach to addressing ransomware and denial-of-service attacks.
In the last thirty days, educational organizations have been the target of more than 6.1 million malware attacks, while the second-most affected industry has only seen 900,000 attacks.
A Zero trust model to defend against ransomware and malware
Many organizations are in the process of implementing a zero trust approach to improve their security posture. Unlike traditional security, which assumes that every entity behind a firewall is safe, zero trust consists essentially of three principles: use least privilege access (LPA), verify explicitly and assume a breach has occurred. Forrester Research popularized the term “zero trust.” This has in turn created a range of definitions of zero trust, requiring a level of standardization by recognized authorities such as NCSC and NIST.
Zero trust is an approach that transcends specific technologies and point solutions. A key takeaway is that existing approaches to remote work are fraught with security risks and IT leadership must make a departure from usual operations.
Challenges of Remote Access
In a paper entitled “Solving the Challenges of Modern Remote Access”, the Gartner group outlines a decision tree that helps an IT manager understand which technologies are most appropriate for specific use cases. In particular, Gartner recommends that IT managers provide a virtual desktop/DaaS for these use cases:
1- Users need access to highly sensitive or secure data.
2- Users are using devices that are not owned by the organization (BYOD).
If the end user’s device is owned by the organization, Gartner recommends that end users install an Endpoint Protection Platform (EPP) for PCs and Macs and a Mobile Threat Defense (MTD) for mobile devices. Further, Gartner recommends that admins remain aware that data is being stored on the end user’s device and take steps to mitigate the risk of those managed devices being on unmanaged networks.
Apporto believes IT admins will find a cloud desktop a more secure (witness the recent attack on software deployment vendor Kaseya) and simpler approach. A cloud desktop reduces the attack surface significantly by allowing all data to be kept inside a secured perimeter. No data needs to be shared onto an unmanaged device or to exit the organization on an unmanaged network. IT admins have control of data ingress and egress and can audit activity.
A More Secure Cloud Desktop: Always in the Browser
Whereas many DaaS and VDI companies deliver virtual desktops in a browser, these are often not recommended for many use cases (videoconferencing, graphical applications etc.). Most DaaS and VDI companies strongly recommend that users install and use a client and that end users secure the endpoint, making sure the client is always up to date. In other words, a cloud desktop that uses a client expands the attack surface to the endpoint and the IT team is back to managing and maintaining the endpoint’s security.
Apporto, on the other hand, is always delivered in the browser and does not rely on the endpoint being secured. Unlike VPN access, which grants the remote worker’s laptop access to the physical network and therefore can be an attack entry point which must be secured using ACLs, the Apporto desktop only allows the remote worker to interact with the delivered desktop via HTML events and messages, which provide a very limited attack surface. Essentially, the most critical aspect of securing an Apporto desktop is utilizing strong user identity assurance that can be added to any SSO solution.
Zero Trust Virtual Desktop White Paper
Multi-factor authentication:
Many legacy systems rely on Windows authentication – this is increasingly a high security risk as hackers become more adept at brute force attacks. Apporto always relies on SSO technologies and recommends that those are used in conjunction with MFA to ensure a high level of security for the desktops.
Least Privilege Access
A key rule of zero trust is to trust no one: users should be provided the fewest privileges needed for their tasks. Apporto enables an admin to deliver:
1) a remote application in a browser with no access to the OS, 2) a desktop with no admin privileges and/or 3) a desktop with admin privileges – all from the same portal and based on the same infrastructure.
Further, Apporto provides a simple console enabling administrators to publish or hide applications or shared folders based on the users’ role/group affiliation. For instance, a user who is a member of the engineering team and who does not need or have access to SAP would not see the SAP client on his desktop. Similarly, a user who does not need access to specific data would not even see the shared folder. This is simply achieved in Apporto through the use of a feature called desktop variants.
One cloud desktop for all tasks:
Another historical problem with cloud desktops has been poor user experience. This is often the result of high network latency or misconfigured applications. Poor user experience is frustrating to users and leads many to use the managed cloud desktop for one set of applications and their unmanaged physical desktop for applications such as video conferencing or chat. This defeats the purpose of the managed cloud desktop since it’s often inevitable that end users will store some of the data on their physical desktop, e.g. uploading or downloading a file from a Teams chat.
Apporto addresses high network latency by utilizing a unique geo-optimizing technology. This means that Apporto can assure that an end user is always connected to the closest data center to ensure minimal network latency. Apporto’s network of data centers ensures that no user is ever further than 50ms from their cloud desktop. Research has shown that at a latency less than 50ms most people cannot distinguish between a local vs remote experience. In addition to our regional infrastructure, Apporto has implemented several additional technologies that enable the bridging of edge video and audio devices into the cloud desktop through the browser. These features allow users to remain on the cloud desktop for all their use cases – even for highly demanding applications such as video conferencing.
Conclusion:
Apporto has leveraged decades of experience to create a secure cloud desktop service. A key goal of the service is to minimize the attack surface – this is achieved by using a clientless virtual desktop, MFA, the principle of least privilege for apps and data, and visibility/control of all data ingress/egress. The service provides admins with a simple control plane that makes the task simple.